Patch Management


RUNNING HEAD: Patch Management 1

Title: Patch Management

Name:

Date:

University name:

Course name:

Course number:

Professor name:

Abstract:

Patch management is the process of releasing patches to fix mistakes in application software or operating system software. Patches are released at regular intervals, or on an emergency basis when there is a threat of a cyber-attack. To facilitate the prompt notification, delivery and installation of updates, the software industry has responded with update and patch management systems. Because of the proprietary nature of these systems, improvement efforts by academic researchers are greatly restricted. At the core of the maintenance phase of the software development life cycle are the issuance of patches (software fixes) and updates (collections of fixes and improvements) to resolve system faults, flaws (bugs) and security holes, in an attempt to extend the functional life of a software product. Due to the time and effort required to assess, locate and acquire these updates, this ongoing effort is often delayed or overlooked by users and system administrators until some urgency or incident prompts a swift response. In recent years, software manufacturers have typically provided access to their product updates via the Internet (i.e., websites, FTP, e-mail, bulletin boards and newsgroups). In this paper, we discuss the patch management policies of three frequently used applications and determine their adequacy by comparing them with alternative applications.

Introduction:

Patching, in layman’s terms, is simply fixing errors that were inadvertently made and need to be corrected. Modern software and applications are enormously complex and very difficult to build, and as a result mistakes do happen; they are discovered gradually, each time the company reviews its software or application. When these mistakes are discovered, the developers have to go back and apply changes to correct them. These changes are commonly known as patches. In today’s era of technology, most people know this phenomenon in the form of the system update pop-up that appears on our smartphones and computers, or the messages we receive asking us to update the applications we have installed. These pop-ups mean that, for some reason, the software or application we were provided with is faulty in some way and needs to be updated to fix that mistake. Perhaps there was an error in the code that was released, or some other kind of issue. When that happens, the developers apply a patch where the mistake is in the software or application. It is of utmost importance that we install updates as soon as they are made available, because even one faulty application can make the whole system vulnerable. Common areas that need patches include operating systems such as Windows, Android and Linux; applications that we use in our daily lives such as Zoom, WhatsApp and Microsoft products; and network equipment, which includes our speakers and video cameras and frequently needs patches as well. This equipment also runs software and needs to be patched to ensure that our devices are protected from outside exploitation (“What is patch management? Benefits and best practices”, 2020). The type of patch management vendor discussed in this paper is the application vendor.

Patch management is one part of a system’s vulnerability management program framework. It is important not only for security purposes but also for a number of other key factors. Patch management fixes the vulnerabilities present in our computer and mobile software, or in applications that are prone to cyber-attacks, and hence helps to reduce security risk. Apart from this, it ensures that software and applications are up to date and running smoothly. This continued product upgrading and maintenance keeps customers happy and satisfied with the application, resulting in economic productivity for the developer. Patch management is also an important feature for applications to keep in compliance with the national legislation in place to avoid cyber-attacks, which are becoming increasingly common in this era. Apart from fixing the bugs in an application, patch management plays an important role in actually bringing new features and upgrades to applications for customer satisfaction.

In this paper we will focus on the patch management practices of various frequently used applications. These are applications that need to be constantly up to date and maintained, since we use them a lot. If not routinely patched, they pose a serious security risk to our devices. Some of the key questions that will be answered in this paper are listed below:

1. What are the patch management policies of the three selected applications?

2. In what ways do these applications address patch management, and how do they inform clients about new vulnerabilities?

3. How do the patch management systems of the selected applications compare with those of their alternatives?

4. Are the patch management processes of these applications adequate to prevent any cyber-attack?

A solid patch management policy will enable an organization to roll out patches efficiently. This includes detecting which components in the system require a patch, prioritizing them, and testing the patches to ensure that they are compatible with the rest of the software projects and processes so that the software development life cycle continues without disruption. As the number of security vulnerabilities continues to rise, it is important that organizations have a patch management policy in place. It helps companies map out all the logistics involved in the patch management process so that teams can handle security patch rollouts like a well-oiled machine.

Background/History:

Every application has a patch management policy in place. This ensures that the application keeps running smoothly and users do not face any difficulty. A patch management policy includes how often patches are provided, how the release of these patches is prioritized, and the ways each new patch is tested, monitored and reported (Goldstein, A., 2020). Not all vulnerabilities pose a significant security risk, and thus not all require immediate patching. The developers need to assess whether a detected vulnerability carries a critical, high, medium or low level of danger. With this information, they prioritize when the patches should be provided to users (Gabriel, A., 2019). In this section of the paper, we will discuss the patch policies of Microsoft Office, Zoom and Bizagi Modeler and their adequacy compared to the patch policies of their alternatives.

Microsoft Office has a very comprehensive patch management policy. Once patches are made available, they are not accessible through Windows Update, as was the norm previously; instead Microsoft creates the patched version of the application and puts it on the Office Content Delivery Network (CDN) on the Internet. The frequency of updates is determined by the user instead of the developer, unless the patches address a critical risk to the user, in which case the updates need to be installed immediately (Microsoft 365, 2021). Users are provided with three primary update channels, namely the Current Channel, the Monthly Enterprise Channel and the Semi-Annual Enterprise Channel. Users can use any of these channels for updates, but Microsoft recommends the Current Channel, which provides users with new Office features as soon as they are ready. The Microsoft Office apps also inform users of newer vulnerabilities. One of these ways is the scheduled task Office Automatic Updates 2.0, which is created automatically when the Microsoft applications are installed on the device. This scheduled task is configured to look for newer updates on a regular basis. When the task runs, it compares the Microsoft Office apps on the user’s device with the version of the apps available at the update location. If a difference is found between the two versions, the update process determines which files need to be updated and then the download starts.
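
The check the scheduled task performs can be sketched in code. The following Python is an added example, not Microsoft’s implementation or the real Office update format: it compares the dotted build number on the device with the one at the update location and, if the published build is newer, lists only the files whose hashes differ so that only those are downloaded. The version strings, file names and file contents are constructed for the illustration.

```python
"""Added illustration of a version-then-file-level update check.
The manifests and version strings below are constructed sample data."""
from __future__ import annotations

from hashlib import sha256


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted build string such as '16.0.14332.20145' into a tuple
    so builds compare numerically ('16.0.10' is newer than '16.0.9')."""
    return tuple(int(part) for part in text.strip().split("."))


def needs_update(installed: str, available: str) -> bool:
    """True when the update location offers a newer build than the device has."""
    return parse_version(available) > parse_version(installed)


def manifest_digest(files: dict[str, bytes]) -> dict[str, str]:
    """Map each file path to the SHA-256 of its content."""
    return {path: sha256(content).hexdigest() for path, content in files.items()}


def files_to_update(installed: dict[str, str], available: dict[str, str]) -> list[str]:
    """Files whose published hash differs from the local one, plus files the
    device lacks entirely. Files present only locally are left alone."""
    changed = [
        path for path, digest in available.items()
        if installed.get(path) != digest
    ]
    return sorted(changed)


def plan_update(installed_version: str, available_version: str,
                installed_files: dict[str, bytes],
                available_files: dict[str, bytes]) -> list[str]:
    """Full decision: nothing to download when the device is current;
    otherwise the list of files to fetch from the update location."""
    if not needs_update(installed_version, available_version):
        return []
    return files_to_update(manifest_digest(installed_files),
                           manifest_digest(available_files))


# Constructed sample data standing in for a device and the update location.
DEVICE_FILES = {"winword.exe": b"word-build-1", "excel.exe": b"excel-build-1",
                "mso.dll": b"mso-build-1"}
CDN_FILES = {"winword.exe": b"word-build-1", "excel.exe": b"excel-build-2",
             "mso.dll": b"mso-build-2", "outlook.exe": b"new-component"}

if __name__ == "__main__":
    print(plan_update("16.0.14332.20145", "16.0.14430.20306", DEVICE_FILES, CDN_FILES))
```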

On the other hand, one alternative to Microsoft Office is Apache OpenOffice, which does not have any definite patch management policy in place. According to the official Apache OpenOffice website, users are encouraged to report all the bugs they encounter “privately”. It is specifically stated that users are not to disclose any security bug to the general public, in order to avoid a cyber-attack. Once the reporter reports the vulnerability privately, the appropriate project’s security team works privately with the reporter to resolve it. A new release of the Apache package is then made which includes the patched vulnerability. Only after this new update is made available is the public informed of the vulnerability.

The next application that we will discuss in this section is Zoom, an app used for video meetings with up to 100 participants. According to the official Zoom website, Zoom regularly provides new versions of the Zoom desktop client and mobile app to release new features and to fix security bugs. Zoom shows a pop-up notification when there is a new mandatory or optional update within 24 hours of logging in. If there are no mandatory updates, the user can check for updates by opening the app and clicking the Check for Updates option under their profile picture. Zoom has a completely transparent patch management policy and immediately informs users of any new vulnerabilities.

The alternative to Zoom that will be discussed is Skype. Skype uses cloud security as part of its patch management policy. It blocks the use of risky and unsanctioned applications to protect sensitive information. Skype is also a Microsoft Office application and hence has the same patch management policy as Microsoft Office, discussed above. Updates are available monthly, and users are informed of these patches through Microsoft’s side applications. Updates that address a significant security risk must be downloaded as soon as they are made available.

The third application that will be discussed here is Bizagi Modeler, which enables business and IT teams to transform any business process and deliver end-to-end digital process automation across the organization. This application does not have any update option, nor is there any fixed frequency with which patches are applied to the software. According to the Bizagi website, the company takes into account comments from its users and then releases a new version of the application, with a note on its website announcing the new version. It is at the users’ discretion whether to move to the new version or keep using the older one. Bizagi has a policy to ensure that customers’ data is transferred to the new version if they move to the latest version. The new version is easily downloadable from the website’s download center or from the Play Store on mobile devices.

ProcessMaker is the alternative to Bizagi discussed here. It has a three-way patch management policy: ProcessMaker releases and fixes are distributed in three different ways (as an Official Release, a Hotfix or a Patch), and each is generated based on different requirements, including customer requests. An Official Release is a major release that includes substantial changes made to ProcessMaker. It is distributed as a full, standalone product build and includes the improvements of all previous Official Releases and Hotfixes, including new features, improvements, bug fixes, security fixes, major changes and changes to the database schema. Official Releases are installed by making a brand-new installation. A Hotfix is a cumulative package generated over a previous Official Release and created based on customer requests. Hotfixes are incremental and include the improvements of previous Hotfixes and Patches. These improvements may include new features, bug fixes, security fixes and changes to the database schema; however, major (backward-incompatible) changes are not included. Hotfixes are distributed and communicated only to current customers. A Patch is designed to update the Official Release with improvements. Patches are created based on customer requests and are released between Hotfixes. Patches are generated over previously released Official Releases and Hotfixes, are incremental, and include the improvements of previous Patches. Patches are distributed only to clients that requested a specific bug fix or urgent feature.

Discussion:

In this section of the research paper, we will compare the adequacy of the patch management policies of the three selected applications with those of their alternatives.

Microsoft Office and Apache OpenOffice are both reasonably secure as long as standard security procedures are followed. It is very important that all updates and patches are installed as soon as they are released, in conjunction with the timely installation of firewalls, antivirus and anti-spyware software. The open-source community publicizes possible security issues with open-source tools, allowing users to protect themselves and hackers to potentially exploit the issues. In contrast, Microsoft keeps security issues closely guarded in an effort to prevent hackers from finding out about them (Rivas, D., 2016). The patch management policy of Microsoft is, however, much more organized: users are much more aware of when to expect the next update and where to install it from.

Zoom is a cloud-based video conferencing application. Its patch management policy was put to the test last year, at the start of the pandemic, and it passed with flying colors when Zoom quickly fixed the privacy issue of eavesdroppers listening in to private conversations. The patches were made available quickly, and users were required to install the new version if they wanted to continue using the app. On the other hand, the patch management policy of Skype is also foolproof and keeps users in the loop regarding any new vulnerability that arises. These measures from both applications keep customers happy and help them understand the level of risk they are exposed to if they do not install the latest patches. If the risk is critical, users are unable to continue using the application without installing the patch. If the risk is high, the user is given a specific period of time in which to install the patches. If the risk is medium or low, users can install the updates at their own discretion. Hence, both of these applications are relatively secure and have a proper patch management policy. It is up to users how they use them and whether they install new updates in a timely manner.
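
The severity-driven rules above (critical blocks use of the app, high sets a deadline, medium or low is left to the user), together with the critical/high/medium/low prioritization described in the Background section, can be written down as a small policy function. This Python is an added example, not Zoom’s or Skype’s code; the 14-day grace period for high-risk patches and the sample device versions are assumptions, since the paper gives no figures.

```python
"""Added example: a severity-driven update enforcement policy.
The grace period and the sample fleet below are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

HIGH_GRACE_DAYS = 14  # assumption: the paper names no specific window


@dataclass(frozen=True)
class Patch:
    version: str    # first build that closes the vulnerability
    severity: str   # "critical", "high", "medium" or "low"
    released: date  # day the patched build was made available


def parse_version(text: str) -> tuple[int, ...]:
    """Numeric comparison of dotted client versions such as '5.4.7'."""
    return tuple(int(part) for part in text.split("."))


def enforcement(installed: str, patch: Patch, today: date) -> str:
    """What the client should do: 'compliant', 'block', 'deadline:<date>'
    or 'optional', following the critical/high/medium-low rules."""
    if parse_version(installed) >= parse_version(patch.version):
        return "compliant"
    if patch.severity == "critical":
        return "block"  # app unusable until the patch is installed
    if patch.severity == "high":
        deadline = patch.released + timedelta(days=HIGH_GRACE_DAYS)
        if today > deadline:
            return "block"  # grace period has run out
        return f"deadline:{deadline.isoformat()}"
    if patch.severity in ("medium", "low"):
        return "optional"  # left to the user's discretion
    raise ValueError(f"unknown severity {patch.severity!r}")


def fleet_report(installed_versions: dict[str, str], patch: Patch,
                 today: date) -> dict[str, str]:
    """Apply the policy to every device in a fleet: device name -> action."""
    return {name: enforcement(v, patch, today)
            for name, v in installed_versions.items()}


# Constructed sample: a high-severity fix released on 4 Jan 2021.
SAMPLE_PATCH = Patch("5.4.7", "high", date(2021, 1, 4))
SAMPLE_FLEET = {"laptop-01": "5.4.6", "laptop-02": "5.4.7", "desk-03": "5.3.2"}


def sample_report() -> dict[str, str]:
    """Fleet status on 10 Jan 2021, six days into the grace period."""
    return fleet_report(SAMPLE_FLEET, SAMPLE_PATCH, date(2021, 1, 10))


if __name__ == "__main__":
    for device, action in sample_report().items():
        print(device, action)
```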

The comparison between the adequacy of patch management at ProcessMaker and Bizagi Modeler is quite simple. ProcessMaker has a much more distinguished policy. It releases new updates frequently, and the user does not have to install the whole application again in order to get them; they can simply install the new features. Apart from this frequent update schedule, users can also ask for custom-made patches, requesting newer and better features. This gives ProcessMaker a flexibility in its approach that Bizagi Modeler cannot afford. Bizagi does not offer updates but instead releases new editions announced on its website, and does so very infrequently. To get the new features, users have to install the whole application again; the new features cannot be integrated into the previous installation.

Conclusion:

Patch management is a task that can require a great deal of time and resources, and it is often difficult to get an overview of your assets and applications, prioritize patches, and swiftly patch critical programs and systems. Companies need to be able to manage patches as efficiently as possible; otherwise the shortfall can have a huge negative impact on their productivity as well as their cybersecurity. 24.1% of vulnerabilities belong to five companies: Software in the Public Interest (SPI), SUSE, Oracle, IBM and Microsoft. The most widely used third-party applications are the main target for hackers. According to the Common Vulnerabilities and Exposures (CVE) index, applications like Java, Adobe, Google Chrome, Mozilla Firefox and OpenOffice, among others, have the highest number of vulnerabilities (Panda Patch Management, 2018).

Patch management is the process by which organizations, or more specifically their IT departments, download and install patches (changes in code or data) intended to update, optimize or secure software, computers, servers and systems. The aim is to make sure these components work properly or to mitigate security vulnerabilities. Although it might seem like a simple task, most companies struggle to identify which critical patch updates they need to install first. Therefore, prioritizing patches is key for administrators.

There are different kinds of patches, and each is developed for a specific purpose: to correct a bug or a specific vulnerability. Security patches affect both operating systems and third-party software: a security patch is a change made to an application or program in order to fix bugs or flaws that cause vulnerabilities. Applying this kind of patch prevents vulnerabilities from being exploited, or eliminates or mitigates the ability of threats to exploit a vulnerability in an asset. Service Packs (SP) and Feature Packs (FP) are other types of patches. They are important patches that comprise a collection of updates, fixes or feature enhancements for a piece of software. They tend to solve a lot of pending problems, and usually include all the patches, hotfixes, maintenance and security patches released before the service pack.

It is of utmost importance that patches are installed immediately after their release. This helps users stay safe from unauthorized access and prevents cyber-attacks. Patches not only provide security updates but also bring exciting new features to the application. Thus, patch management processes are extremely important for applications as well as for other software.

References:

Microsoft 365. (2021). Overview of the update process for Microsoft 365 apps. Retrieved from: https://docs.microsoft.com/en-us/deployoffice/overview-update-process-microsoft-365-apps

Zoom Help Center. Upgrade/update to the latest version. Retrieved from: https://support.zoom.us/hc/en-us/articles/201362233-Upgrade-update-to-the-latest-version

Rapid7. (2020). Patch management: benefits and best practices. Retrieved from: https://www.rapid7.com/fundamentals/patch-management/#:~:text=Patch%20management%20is%20the%20process,bugs%E2%80%9D)%20in%20the%20software.

Apache Software Foundation. Reporting a vulnerability. Retrieved from: https://www.apache.org/security/

ProcessMaker. Official release, hotfix and patch distribution policies. Retrieved from: https://wiki.processmaker.com/3.0/Official_Release_Hotfix_and_Patch_Distribution_Policies

Bizagi. Update process. Retrieved from: https://feedback.bizagi.com/en/topic/how-can-i-update-to-a-newer-version-of-bizagi-process-modeler

Rivas, D. (2016, May 11). Microsoft Office vs. OpenOffice.org. Retrieved from: https://www.techsoup.org/support/articles-and-how-tos/ms-office-vs-openoffice
